2 files changed, 219 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-32023.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-32023.patch
new file mode 100644
index 0000000000..eb7e81c0b9
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-32023.patch
@@ -0,0 +1,218 @@
+From 50188747cbfe43528d2719399a2a3c9599169445 Mon Sep 17 00:00:00 2001
+From: "debing.sun" <debing.sun@redis.com>
+Date: Wed, 7 May 2025 18:25:06 +0800
+Subject: [PATCH] Fix out of bounds write in hyperloglog commands
+ (CVE-2025-32023)
+Co-authored-by: oranagra <oran@redislabs.com>
+Upstream-Status: Backport [https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445]
+CVE: CVE-2025-32023
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/hyperloglog.c          | 47 +++++++++++++++++++++++++++++++----
+ tests/unit/hyperloglog.tcl | 51 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 93 insertions(+), 5 deletions(-)
+diff --git a/src/hyperloglog.c b/src/hyperloglog.c
+index 1a74f47..ca592a0 100644
+--- a/src/hyperloglog.c
+++ b/src/hyperloglog.c
+@@ -587,6 +587,7 @@ int hllSparseToDense(robj *o) {
+     struct hllhdr *hdr, *oldhdr = (struct hllhdr*)sparse;
+     int idx = 0, runlen, regval;
+     uint8_t *p = (uint8_t*)sparse, *end = p+sdslen(sparse);
+    int valid = 1;
+ 
+     /* If the representation is already the right one return ASAP. */
+     hdr = (struct hllhdr*) sparse;
+@@ -606,16 +607,27 @@ int hllSparseToDense(robj *o) {
+     while(p < end) {
+         if (HLL_SPARSE_IS_ZERO(p)) {
+             runlen = HLL_SPARSE_ZERO_LEN(p);
+            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+                valid = 0;
+                break;
+            }
+             idx += runlen;
+             p++;
+         } else if (HLL_SPARSE_IS_XZERO(p)) {
+             runlen = HLL_SPARSE_XZERO_LEN(p);
+            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+                valid = 0;
+                break;
+            }
+             idx += runlen;
+             p += 2;
+         } else {
+             runlen = HLL_SPARSE_VAL_LEN(p);
+             regval = HLL_SPARSE_VAL_VALUE(p);
+-            if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
+            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+                valid = 0;
+                break;
+            }
+             while(runlen--) {
+                 HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
+                 idx++;
+@@ -626,7 +638,7 @@ int hllSparseToDense(robj *o) {
+ 
+     /* If the sparse representation was valid, we expect to find idx
+      * set to HLL_REGISTERS. */
+-    if (idx != HLL_REGISTERS) {
+    if (!valid || idx != HLL_REGISTERS) {
+         sdsfree(dense);
+         return C_ERR;
+     }
+@@ -923,27 +935,40 @@ int hllSparseAdd(robj *o, unsigned char *ele, size_t elesize) {
+ void hllSparseRegHisto(uint8_t *sparse, int sparselen, int *invalid, int* reghisto) {
+     int idx = 0, runlen, regval;
+     uint8_t *end = sparse+sparselen, *p = sparse;
+    int valid = 1;
+ 
+     while(p < end) {
+         if (HLL_SPARSE_IS_ZERO(p)) {
+             runlen = HLL_SPARSE_ZERO_LEN(p);
+            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+                valid = 0;
+                break;
+            }
+             idx += runlen;
+             reghisto[0] += runlen;
+             p++;
+         } else if (HLL_SPARSE_IS_XZERO(p)) {
+             runlen = HLL_SPARSE_XZERO_LEN(p);
+            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+                valid = 0;
+                break;
+            }
+             idx += runlen;
+             reghisto[0] += runlen;
+             p += 2;
+         } else {
+             runlen = HLL_SPARSE_VAL_LEN(p);
+             regval = HLL_SPARSE_VAL_VALUE(p);
+            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+                valid = 0;
+                break;
+            }
+             idx += runlen;
+             reghisto[regval] += runlen;
+             p++;
+         }
+     }
+-    if (idx != HLL_REGISTERS && invalid) *invalid = 1;
+    if ((!valid || idx != HLL_REGISTERS) && invalid) *invalid = 1;
+ }
+ 
+ /* ========================= HyperLogLog Count ==============================
+@@ -1091,22 +1116,34 @@ int hllMerge(uint8_t *max, robj *hll) {
+     } else {
+         uint8_t *p = hll->ptr, *end = p + sdslen(hll->ptr);
+         long runlen, regval;
+        int valid = 1;
+ 
+         p += HLL_HDR_SIZE;
+         i = 0;
+         while(p < end) {
+             if (HLL_SPARSE_IS_ZERO(p)) {
+                 runlen = HLL_SPARSE_ZERO_LEN(p);
+                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
+                    valid = 0;
+                    break;
+                }
+                 i += runlen;
+                 p++;
+             } else if (HLL_SPARSE_IS_XZERO(p)) {
+                 runlen = HLL_SPARSE_XZERO_LEN(p);
+                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
+                    valid = 0;
+                    break;
+                }
+                 i += runlen;
+                 p += 2;
+             } else {
+                 runlen = HLL_SPARSE_VAL_LEN(p);
+                 regval = HLL_SPARSE_VAL_VALUE(p);
+-                if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
+                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
+                    valid = 0;
+                    break;
+                }
+                 while(runlen--) {
+                     if (regval > max[i]) max[i] = regval;
+                     i++;
+@@ -1114,7 +1151,7 @@ int hllMerge(uint8_t *max, robj *hll) {
+                 p++;
+             }
+         }
+-        if (i != HLL_REGISTERS) return C_ERR;
+        if (!valid || i != HLL_REGISTERS) return C_ERR;
+     }
+     return C_OK;
+ }
+diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl
+index ee43718..bc90eb2 100644
+--- a/tests/unit/hyperloglog.tcl
+++ b/tests/unit/hyperloglog.tcl
+@@ -137,6 +137,57 @@ start_server {tags {"hll"}} {
+         set e
+     } {*WRONGTYPE*}
+ 
+    test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with XZERO opcode} {
+        r del hll
+        
+        # Create a sparse-encoded HyperLogLog header
+        set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
+
+        # Create an XZERO opcode with the maximum run length of 16384(2^14)
+        set runlen [expr 16384 - 1]
+        set chunk [binary format cc [expr {0b01000000 | ($runlen >> 8)}] [expr {$runlen & 0xff}]]
+        # Fill the HLL with more than 131072(2^17) XZERO opcodes to make the total
+        # run length exceed 4GB, will cause an integer overflow.
+        set repeat [expr 131072 + 1000]
+        for {set i 0} {$i < $repeat} {incr i} {
+            append pl $chunk
+        }
+
+        # Create a VAL opcode with a value that will cause out-of-bounds.
+        append pl [binary format c 0b11111111]
+        r set hll $pl
+
+        # This should not overflow and out-of-bounds.
+        assert_error {*INVALIDOBJ*} {r pfcount hll hll}
+        assert_error {*INVALIDOBJ*} {r pfdebug getreg hll}
+        r ping
+    }
+
+    test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with ZERO opcode} {
+        r del hll
+        
+        # Create a sparse-encoded HyperLogLog header
+        set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
+
+        # # Create an ZERO opcode with the maximum run length of 64(2^6)
+        set chunk [binary format c [expr {0b00000000 | 0x3f}]]
+        # Fill the HLL with more than 33554432(2^17) ZERO opcodes to make the total
+        # run length exceed 4GB, will cause an integer overflow.
+        set repeat [expr 33554432 + 1000]
+        for {set i 0} {$i < $repeat} {incr i} {
+            append pl $chunk
+        }
+
+        # Create a VAL opcode with a value that will cause out-of-bounds.
+        append pl [binary format c 0b11111111]
+        r set hll $pl
+
+        # This should not overflow and out-of-bounds.
+        assert_error {*INVALIDOBJ*} {r pfcount hll hll}
+        assert_error {*INVALIDOBJ*} {r pfdebug getreg hll}
+        r ping
+    }
+
+     test {Corrupted dense HyperLogLogs are detected: Wrong length} {
+         r del hll
+         r pfadd hll a b c
+-- 
+2.49.0
diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
index bf9de7a166..a1739b4f30 100644
--- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://0004-src-Do-not-reset-FINAL_LIBS.patch \
           file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
+           file://CVE-2025-32023.patch \
          "
 SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"

diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-32023.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-32023.patch new file mode 100644 index 0000000000..eb7e81c0b9 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-32023.patch
@@ -0,0 +1,218 @@
		1	From 50188747cbfe43528d2719399a2a3c9599169445 Mon Sep 17 00:00:00 2001
		2	From: "debing.sun" <debing.sun@redis.com>
		3	Date: Wed, 7 May 2025 18:25:06 +0800
		4	Subject: [PATCH] Fix out of bounds write in hyperloglog commands
		5	(CVE-2025-32023)
		6
		7	Co-authored-by: oranagra <oran@redislabs.com>
		8
		9	Upstream-Status: Backport [https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445]
		10	CVE: CVE-2025-32023
		11	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		12	---
		13	src/hyperloglog.c \| 47 +++++++++++++++++++++++++++++++----
		14	tests/unit/hyperloglog.tcl \| 51 ++++++++++++++++++++++++++++++++++++++
		15	2 files changed, 93 insertions(+), 5 deletions(-)
		16
		17	diff --git a/src/hyperloglog.c b/src/hyperloglog.c
		18	index 1a74f47..ca592a0 100644
		19	--- a/src/hyperloglog.c
		20	+++ b/src/hyperloglog.c
		21	@@ -587,6 +587,7 @@ int hllSparseToDense(robj *o) {
		22	struct hllhdr hdr, oldhdr = (struct hllhdr*)sparse;
		23	int idx = 0, runlen, regval;
		24	uint8_t p = (uint8_t)sparse, *end = p+sdslen(sparse);
		25	+ int valid = 1;
		26
		27	/* If the representation is already the right one return ASAP. */
		28	hdr = (struct hllhdr*) sparse;
		29	@@ -606,16 +607,27 @@ int hllSparseToDense(robj *o) {
		30	while(p < end) {
		31	if (HLL_SPARSE_IS_ZERO(p)) {
		32	runlen = HLL_SPARSE_ZERO_LEN(p);
		33	+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
		34	+ valid = 0;
		35	+ break;
		36	+ }
		37	idx += runlen;
		38	p++;
		39	} else if (HLL_SPARSE_IS_XZERO(p)) {
		40	runlen = HLL_SPARSE_XZERO_LEN(p);
		41	+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
		42	+ valid = 0;
		43	+ break;
		44	+ }
		45	idx += runlen;
		46	p += 2;
		47	} else {
		48	runlen = HLL_SPARSE_VAL_LEN(p);
		49	regval = HLL_SPARSE_VAL_VALUE(p);
		50	- if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
		51	+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
		52	+ valid = 0;
		53	+ break;
		54	+ }
		55	while(runlen--) {
		56	HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
		57	idx++;
		58	@@ -626,7 +638,7 @@ int hllSparseToDense(robj *o) {
		59
		60	/* If the sparse representation was valid, we expect to find idx
		61	* set to HLL_REGISTERS. */
		62	- if (idx != HLL_REGISTERS) {
		63	+ if (!valid \|\| idx != HLL_REGISTERS) {
		64	sdsfree(dense);
		65	return C_ERR;
		66	}
		67	@@ -923,27 +935,40 @@ int hllSparseAdd(robj o, unsigned char ele, size_t elesize) {
		68	void hllSparseRegHisto(uint8_t sparse, int sparselen, int invalid, int* reghisto) {
		69	int idx = 0, runlen, regval;
		70	uint8_t end = sparse+sparselen, p = sparse;
		71	+ int valid = 1;
		72
		73	while(p < end) {
		74	if (HLL_SPARSE_IS_ZERO(p)) {
		75	runlen = HLL_SPARSE_ZERO_LEN(p);
		76	+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
		77	+ valid = 0;
		78	+ break;
		79	+ }
		80	idx += runlen;
		81	reghisto[0] += runlen;
		82	p++;
		83	} else if (HLL_SPARSE_IS_XZERO(p)) {
		84	runlen = HLL_SPARSE_XZERO_LEN(p);
		85	+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
		86	+ valid = 0;
		87	+ break;
		88	+ }
		89	idx += runlen;
		90	reghisto[0] += runlen;
		91	p += 2;
		92	} else {
		93	runlen = HLL_SPARSE_VAL_LEN(p);
		94	regval = HLL_SPARSE_VAL_VALUE(p);
		95	+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
		96	+ valid = 0;
		97	+ break;
		98	+ }
		99	idx += runlen;
		100	reghisto[regval] += runlen;
		101	p++;
		102	}
		103	}
		104	- if (idx != HLL_REGISTERS && invalid) *invalid = 1;
		105	+ if ((!valid \|\| idx != HLL_REGISTERS) && invalid) *invalid = 1;
		106	}
		107
		108	/* ========================= HyperLogLog Count ==============================
		109	@@ -1091,22 +1116,34 @@ int hllMerge(uint8_t max, robj hll) {
		110	} else {
		111	uint8_t p = hll->ptr, end = p + sdslen(hll->ptr);
		112	long runlen, regval;
		113	+ int valid = 1;
		114
		115	p += HLL_HDR_SIZE;
		116	i = 0;
		117	while(p < end) {
		118	if (HLL_SPARSE_IS_ZERO(p)) {
		119	runlen = HLL_SPARSE_ZERO_LEN(p);
		120	+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
		121	+ valid = 0;
		122	+ break;
		123	+ }
		124	i += runlen;
		125	p++;
		126	} else if (HLL_SPARSE_IS_XZERO(p)) {
		127	runlen = HLL_SPARSE_XZERO_LEN(p);
		128	+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
		129	+ valid = 0;
		130	+ break;
		131	+ }
		132	i += runlen;
		133	p += 2;
		134	} else {
		135	runlen = HLL_SPARSE_VAL_LEN(p);
		136	regval = HLL_SPARSE_VAL_VALUE(p);
		137	- if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
		138	+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
		139	+ valid = 0;
		140	+ break;
		141	+ }
		142	while(runlen--) {
		143	if (regval > max[i]) max[i] = regval;
		144	i++;
		145	@@ -1114,7 +1151,7 @@ int hllMerge(uint8_t max, robj hll) {
		146	p++;
		147	}
		148	}
		149	- if (i != HLL_REGISTERS) return C_ERR;
		150	+ if (!valid \|\| i != HLL_REGISTERS) return C_ERR;
		151	}
		152	return C_OK;
		153	}
		154	diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl
		155	index ee43718..bc90eb2 100644
		156	--- a/tests/unit/hyperloglog.tcl
		157	+++ b/tests/unit/hyperloglog.tcl
		158	@@ -137,6 +137,57 @@ start_server {tags {"hll"}} {
		159	set e
		160	} {WRONGTYPE}
		161
		162	+ test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with XZERO opcode} {
		163	+ r del hll
		164	+
		165	+ # Create a sparse-encoded HyperLogLog header
		166	+ set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
		167	+
		168	+ # Create an XZERO opcode with the maximum run length of 16384(2^14)
		169	+ set runlen [expr 16384 - 1]
		170	+ set chunk [binary format cc [expr {0b01000000 \| ($runlen >> 8)}] [expr {$runlen & 0xff}]]
		171	+ # Fill the HLL with more than 131072(2^17) XZERO opcodes to make the total
		172	+ # run length exceed 4GB, will cause an integer overflow.
		173	+ set repeat [expr 131072 + 1000]
		174	+ for {set i 0} {$i < $repeat} {incr i} {
		175	+ append pl $chunk
		176	+ }
		177	+
		178	+ # Create a VAL opcode with a value that will cause out-of-bounds.
		179	+ append pl [binary format c 0b11111111]
		180	+ r set hll $pl
		181	+
		182	+ # This should not overflow and out-of-bounds.
		183	+ assert_error {INVALIDOBJ} {r pfcount hll hll}
		184	+ assert_error {INVALIDOBJ} {r pfdebug getreg hll}
		185	+ r ping
		186	+ }
		187	+
		188	+ test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with ZERO opcode} {
		189	+ r del hll
		190	+
		191	+ # Create a sparse-encoded HyperLogLog header
		192	+ set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
		193	+
		194	+ # # Create an ZERO opcode with the maximum run length of 64(2^6)
		195	+ set chunk [binary format c [expr {0b00000000 \| 0x3f}]]
		196	+ # Fill the HLL with more than 33554432(2^17) ZERO opcodes to make the total
		197	+ # run length exceed 4GB, will cause an integer overflow.
		198	+ set repeat [expr 33554432 + 1000]
		199	+ for {set i 0} {$i < $repeat} {incr i} {
		200	+ append pl $chunk
		201	+ }
		202	+
		203	+ # Create a VAL opcode with a value that will cause out-of-bounds.
		204	+ append pl [binary format c 0b11111111]
		205	+ r set hll $pl
		206	+
		207	+ # This should not overflow and out-of-bounds.
		208	+ assert_error {INVALIDOBJ} {r pfcount hll hll}
		209	+ assert_error {INVALIDOBJ} {r pfdebug getreg hll}
		210	+ r ping
		211	+ }
		212	+
		213	test {Corrupted dense HyperLogLogs are detected: Wrong length} {
		214	r del hll
		215	r pfadd hll a b c
		216	--
		217	2.49.0
		218


diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb index bf9de7a166..a1739b4f30 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
16	file://0004-src-Do-not-reset-FINAL_LIBS.patch \	16	file://0004-src-Do-not-reset-FINAL_LIBS.patch \
17	file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \	17	file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
		19	file://CVE-2025-32023.patch \
19	"	20	"
20		21
21	SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"	22	SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"